On 21/04/2021 at 04:23, Jordan Niethe wrote:
On Wed, Mar 31, 2021 at 10:24 PM Michael Ellerman <m...@ellerman.id.au> wrote:
Jordan Niethe <jniet...@gmail.com> writes:
From: Russell Currey <rus...@russell.cc>
Optionally run W+X checks when dumping pagetable information to
debugfs' kernel_page_tables.
To use:
$ echo 1 > /sys/kernel/debug/check_wx_pages
$ cat /sys/kernel/debug/kernel_page_tables
and check the kernel log. Useful for testing strict module RWX.
To disable W+X checks:
$ echo 0 > /sys/kernel/debug/check_wx_pages
Update the Kconfig entry to reflect this.
Also fix a typo.
Reviewed-by: Kees Cook <keesc...@chromium.org>
Signed-off-by: Russell Currey <rus...@russell.cc>
[jpn: Change check_wx_pages to act as mode bit affecting
kernel_page_tables instead of triggering action on its own]
Signed-off-by: Jordan Niethe <jniet...@gmail.com>
---
v10: check_wx_pages now affects kernel_page_tables rather than triggers
its own action.
Hmm. I liked the old version better :)
I think you changed it based on Christophe's comment:
Why not just perform the test every time someone dumps kernel_page_tables ?
But I think he meant *always* do the check when someone dumps
kernel_page_tables, not have another file to enable checking and then
require someone to dump kernel_page_tables to do the actual check.
Yes, I guess I misinterpreted that.
Still I like the previous version where you can do the checks
separately, without having to dump the page tables, because dumping can
sometimes take quite a while.
What would be even better is if ptdump_check_wx() returned an error when
wx pages were found, and that was plumbed out to the debugfs file. That
way you can script around it.
Ok I'll go back to how it was and add in returning an error.
I have a series to convert PPC_PTDUMP into GENERIC_PTDUMP, see
https://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=239795
cheers
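
Added example, not part of the thread or the patch: until the check returns an error through debugfs, one way to script around it is to follow the steps from the commit message and turn the kernel log result into an exit status. The function names and the sample log lines are constructed for illustration, and the "Checked W+X mappings: ..." message format is an assumption about what the kernel prints.

```shell
#!/bin/sh
# Added example: derive a scriptable exit status from the W+X check result.
# Assumption: the result is logged as
#   "Checked W+X mappings: passed, no W+X pages found"  or
#   "Checked W+X mappings: FAILED, <N> W+X pages found"

# wx_verdict (hypothetical helper): read kernel log text on stdin and judge
# the most recent result line.
# Returns 0 = passed, 1 = W+X pages found, 2 = no result line (check never ran).
wx_verdict() {
    last=$(grep -F 'Checked W+X mappings:' | tail -n 1)
    case "$last" in
        *'mappings: passed'*)
            return 0 ;;
        *'mappings: FAILED'*)
            # Report the page count on stderr for the operator.
            echo "$last" |
                sed -n 's/.*FAILED, \([0-9][0-9]*\) W+X pages found.*/\1 W+X pages found/p' >&2
            return 1 ;;
        *)
            return 2 ;;
    esac
}

# wx_check_live (hypothetical helper): the procedure from the commit message,
# run as root on a kernel carrying this patch.
wx_check_live() {
    dbg=/sys/kernel/debug
    echo 1 > "$dbg/check_wx_pages" || return 2     # enable W+X checks
    cat "$dbg/kernel_page_tables" > /dev/null      # the dump triggers the check
    echo 0 > "$dbg/check_wx_pages"                 # disable W+X checks again
    dmesg | wx_verdict
}

# Constructed sample kernel log lines (not captured from a real system).
SAMPLE_PASS='[   12.000001] Checked W+X mappings: passed, no W+X pages found'
SAMPLE_FAIL='[   12.000001] Checked W+X mappings: passed, no W+X pages found
[  345.000002] Checked W+X mappings: FAILED, 3 W+X pages found'
SAMPLE_NONE='[   12.000001] unrelated message'
```

Only the last result line in the log decides the status, so an earlier pass does not mask a later failure; status 2 distinguishes "check did not run" from "check passed".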